A Rundown of the Biggest Cybersecurity Incidents of 2016

Most persistent cybercriminals: Ransomware attackers

Ransomware has proved to be a popular business model for cybercriminals. It has attracted attention from several parts of the underground—as evidenced by the 172% increase in new ransomware families in the first half of 2016. And these attackers didn't limit themselves to just creating and updating tools. They continued to hammer old targets as they widened their pool of potential victims and adopted new methods to make their attacks more lucrative.

The healthcare and education sectors have been long-time ransomware targets, and that trend continued this year. Here are a few of the year's notable ransomware attacks on these sectors:

In early February, the Hollywood Presbyterian Medical Center was hit by a ransomware attack that knocked the hospital’s network offline. The attack heavily affected the facility's daily operations, as urgent scans, lab work, pharmaceutical needs, and documentation couldn't be processed. The systems were down for more than a week before the hospital reportedly paid the ransom of 40 Bitcoins, which amounted to $17,000.

MedStar is one of America’s leading healthcare providers with a network of ten hospitals and 250 outpatient centers under its name—many of which were affected as ransomware attackers paralyzed their systems in late March. The organization acted quickly and took down all system interfaces to prevent the malware from spreading. The ransom was set at 45 bitcoins (around $19,000) with a ten-day deadline, but MedStar was reportedly able to bring their systems back online without paying.

In late May, a ransomware attack crippled multiple systems connected to the university’s network. While the staff was able to isolate some of the affected machines so that most systems remained operational, the university decided that paying the $20,000 demanded by the attackers was the best course of action because of the risk to critical data and valuable research.

Operators of Ransomware-as-a-Service (RaaS) also shifted gears this year. Established variants gave way to new RaaS offerings that use a different business model, with lower license prices and software that lets less tech-savvy distributors spread ransomware.

Creators earn money by taking a cut from the distributors of their ransomware, and as RaaS becomes cheaper and easier to find, it has become more mainstream. By enlisting a large network of distributors, ransomware is spread to more victims, which equates to a bigger potential for profit for its creators. One example is the Shark ransomware that was hosted on a public WordPress site, and not the usual anonymous network typically favored by other ransomware authors. Shark also had a guide on customization, distributor tips on how much ransom to demand, and other useful documents. Creators took 20% of the ransom collected while distributors got 80%.

Ransomware attacks on small and medium businesses grew exponentially this past year. This independent report maintains that the number of attacks is eight times higher in 2016 than during the same time in 2015. We’ve also seen malware designed to target the smaller network environments of SMBs. Attackers are shifting their focus to smaller companies based in communities that have little experience with ransomware, as seen in the attack on small businesses based in Waukesha County, Wisconsin:

Menomonee Falls is a small village in Waukesha County, Wisconsin with a population of around 35,000. This year marked the first time that the local authorities had to deal with ransomware attacks on businesses operating in their jurisdiction. In October, a local woodworking company was hit by a ransomware attack that crippled their computer systems and demanded eight bitcoin.

Attackers are also branching out from hitting private companies to extorting public services. The recent San Francisco Municipal Transportation Agency (SFMTA) ransomware attack left the trains running smoothly, but the ticketing systems a mess. The organization took a strong stand against the attackers and managed the problem themselves.

During Thanksgiving weekend, one of the busiest weekends of the year, San Francisco commuters got to ride the train for free as ransomware attackers infiltrated the SFMTA ticketing systems, which the organization was forced to take offline. The attackers claimed to have compromised 2,000 computer systems and stolen 30 gigabytes of important data. The attackers demanded a ransom of 100 bitcoins (around $73,000), but SFMTA officials “never considered paying it”. Their IT team restored the systems over the weekend, and normal operations resumed on Sunday.

Mac devices are harder to hack and have a smaller market share than their competitors, making them less attractive to practical, profit-driven ransomware attackers. However, they are getting attention from ransomware developers because of the steadily increasing number of users and the low level of competition in the Mac-ransomware field.

The ransomware dubbed KeRanger (detected by Trend Micro as RANSOM_KERANGER.A) was specifically designed to target Mac OS X machines. It was discovered in early March when users found malicious files in Transmission 2.90, a popular BitTorrent client. It is estimated to have affected 6,500 victims, so the overall impact was relatively small compared to other ransomware. The concern comes from it being the first functional Mac ransomware, an indicator that attackers are honing their tools to target Mac users specifically.

Most expensive attacks: Leoni and Bangladesh Bank

Large multinational companies are the prime targets of Business Email Compromise (BEC), which is a type of online scam that usually begins with an attacker compromising a legitimate email account and tricking the company’s financial officer to wire funds to their accounts. Typically the companies that fall victim to these scams deal with foreign suppliers and habitually use wire transfer payments. Victims of BEC scams have increased 270% since the start of 2015, and this year saw one of the largest amounts lost by an enterprise:

Leoni AG is a cable and harnessing manufacturing company based in Germany. In August of this year, the CFO of the company’s factory in Romania was tricked into transferring €40 million to an unknown bank account. The scammer spoofed an email to look like it was sent by a top executive, and crafted the request to comply with the internal policies of Leoni. Because the request seemed authentic enough, the CFO wired the money.
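
The BEC pattern described above (a message whose sender looks like a top executive, paired with a payment request) can be screened for at the mail gateway before a human ever sees it. The following is an added example, not code from the Trend Micro article or from Leoni; the executive roster, the corporate domain `example-corp.com`, the look-alike domain and every sample header below are constructed for illustration. It flags the three header-level tells a defender can check cheaply: an executive's display name on a foreign address, a Reply-To that diverts answers elsewhere, and a sender domain one or two characters away from the real one.

```python
"""Flag inbound mail whose From header impersonates a known executive.

Added example for the BEC pattern described above; it is not code from the
Trend Micro article. The executive roster, the corporate domain and the
sample headers below are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed roster: people whose names attackers most often borrow in BEC.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
CORPORATE_DOMAINS = {"example-corp.com"}
# Subject words that usually accompany a fraudulent payment request.
PRESSURE_WORDS = ("urgent", "wire", "transfer", "payment", "confidential")


def _norm(name):
    return " ".join(name.lower().split())


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Plain Levenshtein distance; domain names are short enough for this."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_headers(headers):
    """Return a list of findings for one message (dict of header -> value)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    from_name, from_addr = parseaddr(h.get("from", ""))
    from_dom = _domain(from_addr)

    # 1. Display name matches an executive but the address is not theirs.
    expected = EXECUTIVES.get(_norm(from_name))
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' matches an executive "
                        f"but address is {from_addr}")

    # 2. Reply-To diverts answers away from the sending domain.
    _, reply_addr = parseaddr(h.get("reply-to", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} differs from From domain {from_dom}")

    # 3. Look-alike domain: not ours, but within two edits of one of ours.
    if from_dom and from_dom not in CORPORATE_DOMAINS:
        for ours in CORPORATE_DOMAINS:
            if _edit_distance(from_dom, ours) <= 2:
                findings.append(f"sender domain {from_dom} resembles {ours}")

    # 4. Pressure language only counts once a header-level tell is present.
    subject = h.get("subject", "").lower()
    if findings and any(w in subject for w in PRESSURE_WORDS):
        findings.append("subject uses payment/urgency language")
    return findings


# Constructed sample headers.
LEGIT = {"From": "Jane Doe <jane.doe@example-corp.com>",
         "Subject": "Q3 board deck"}
SPOOFED = {"From": "Jane Doe <jane.doe.ceo@webmail.example>",
           "Reply-To": "jane.doe.ceo@webmail.example",
           "Subject": "URGENT wire transfer - confidential"}
LOOKALIKE = {"From": "Jane Doe <jane.doe@example-c0rp.com>",
             "Subject": "Payment to new supplier"}
EXACT_SPOOF = {"From": "Jane Doe <jane.doe@example-corp.com>",
               "Reply-To": "jane.doe.ceo@webmail.example",
               "Subject": "Urgent: wire needed today"}

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT), ("spoofed", SPOOFED),
                       ("lookalike", LOOKALIKE), ("exact_spoof", EXACT_SPOOF)):
        print(label, check_headers(msg))
```

The `EXACT_SPOOF` case, where the From address is the real corporate one, is caught here only by the Reply-To check; the address itself should be rejected upstream by SPF/DKIM/DMARC enforcement on the corporate domain, which is the control that makes check 1 meaningful. The findings are signals for quarantine or a second-approver rule on wire requests, not a verdict on their own.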

Business Process Compromise (BPC) is considered a variation of the BEC scam. Instead of using spoofed accounts and convincing emails, BPC schemes aim to exploit business practices, systems, operational loopholes, and the organizational structure of the enterprise.

The technique used in BPCs can be likened to a persistent and targeted attack, but instead of gathering information or sabotage, the scheme's primary goal is to make a profit. Attackers gain footholds in the target organization, move laterally from the point of compromise, and map out the organization’s infrastructure and communications to look for weak points. One bank suffered a huge loss to this type of attack just this year:

In one of the biggest bank heists in history, hackers acquired the SWIFT credentials of an operator at Bangladesh Bank and also installed multiple types of malware in their system. In early February, they began to send requests from Bangladesh Bank to the Federal Reserve Bank of New York to transfer funds to accounts in Sri Lanka and the Philippines. They timed their request to coincide with the weekend—a tactic to avoid being discovered. The hackers also tampered with the bank’s printing system so that the SWIFT acknowledgment receipts which registered the fraudulent transactions wouldn’t be printed and tracked by employees.

A total of US$81 million was lost, and the aftermath of the heist saw many questioning the processes of money transfers and communication between the bank and NY Fed. The incident also warranted a look into the security weaknesses of SWIFT processes.

Biggest attack vector in finance: SWIFT

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a global transaction messaging network used by banks and other financial entities such as foreign exchanges and investment firms. Unfortunately, this year saw attackers targeting SWIFT clients, compromising and manipulating organizations into sending fraudulent money transfer requests. It’s unclear how many of these attacks were actually successful, but in June, SWIFT sent its clients a letter warning them about the possible dangers. The organization also urged clients to update their software and tighten their cyber defenses.

Bangladesh Bank was the highest profile victim of SWIFT fraudsters, but it was also disclosed that Ecuadorean bank Banco del Austro fell victim to a SWIFT attack in 2015. The bank lost $12 million when hackers gained access to the codes the bank used to move money via SWIFT. The stolen cash was moved to accounts in Hong Kong, Dubai, New York and Los Angeles. Reports also detailed a failed attempt in late 2015 to steal money from Vietnam's Tien Phong Bank.

Most prolific patches: Microsoft

Microsoft has been regularly releasing its fixes on Patch Tuesday for over a decade now, and 2016 has been its busiest year. In 2015, Microsoft released 135 updates in total—a count easily eclipsed this year, already reaching 142 in November.

The patches come regularly, with some months delivering more critical fixes than others. Multiple incidents involved exploited Windows vulnerabilities, and one recent case caused some disagreement. In November, Microsoft released a patch for a zero-day vulnerability that Google had previously announced. The exploit abused a flaw in the win32k system that allowed attackers to escape from Windows’ security sandbox. The Google team reported that it was being actively exploited by malware attackers, while Microsoft disputed the seriousness of the bug and objected to the speed of Google’s announcement.

Worst all-around troublemaker: Mirai

Distributed Denial of Service (DDoS) captured the spotlight this year because of massive attacks against several high-profile targets. The fuel behind these attacks is Mirai, ELF malware that turns devices into bots used to perform DDoS attacks. ELF is the common executable format for Linux and UNIX-based systems, and because many Internet of Things (IoT) devices run such systems, they are particularly vulnerable.

A few factors contributed to the strength of the DDoS incidents: firstly, the source code of Mirai was made public, allowing a whole new pool of DDoS attackers to come into play. Mirai’s public source is en route to becoming the “ZeuS” of this movement—the core template that everyone copies. Secondly, the increasing number of unsecured Internet of Things (IoT) devices means that plenty of devices were easily compromised and used for botnets.

Mirai has been responsible for the largest DDoS attacks we’ve seen these past few months, and we’ve seen which devices it has compromised—from CCTV cameras, DVRs, home networking equipment and most recently routers. Here are the most significant incidents caused by Mirai:

The security researcher published a detailed blog post on a DDoS-for-hire group and found himself fighting off 620 Gbps of malicious traffic, the biggest DDoS attack recorded at the time. The attack took his site offline for days, but it went back online after he received help from Google’s Project Shield. This was the beginning of a wave of huge DDoS attacks.

A massive DDoS attack on DNS provider Dyn affected major websites and millions of users across the East Coast. The attack reportedly reached up to 1.2 Tbps, affecting sites like Twitter, Reddit, Netflix, Spotify and more. Initial analysis pointed to an estimated 100,000 compromised Internet of Things devices, which were turned into bots by the Mirai malware.

Prolonged DDoS attacks hit five Russian banks in early November, though online client services went on as usual. The attacks lasted over two days and reportedly involved at least 24,000 computers across 30 countries.

First successful cyberattack on an industrial facility: Ukrainian power grid

Prior to this event, a Trend Micro report already revealed attackers showing interest in the critical infrastructure of various industries. Specifically, attackers were targeting enterprises using Supervisory Control and Data Acquisition (SCADA), which is an automation control system at the center of many modern industries.

This attack on the Ukrainian power grid is the first confirmed instance of hackers leveraging malware to access SCADA systems and cause a power outage:

Three regional electric power distribution companies in Ukraine experienced unscheduled power outages caused by a coordinated cyberattack. It lasted an estimated 3 hours and impacted around 250,000 customers. The hackers accessed the SCADA networks through hijacked VPNs, and from there they were able to control the power grid. They didn’t just cut power to customers; they also made sure to leave the operators powerless. Reports detailed that the companies had been infected with the BlackEnergy malware, which played a role in the attack but was likely not the only cause of the outage. The KillDisk module within BlackEnergy was executed at the end of the attack, wiping some systems and rendering others inoperable. This situation shows the increasing sophistication of attacks on industrial control systems: BlackEnergy is evolving to work in multiple areas and increasing its effectiveness.

Biggest data breach: Yahoo

In a year of mega-breaches, Yahoo has the distinction of potentially exposing the biggest number of users to risks. And since a lot of users reuse their passwords and usernames across different sites, multiple accounts become vulnerable. Cybercriminals use a technique called credential stuffing—using usernames and passwords from one account to hack other accounts.

Last September, Yahoo confirmed a massive breach that left 500 million users compromised. The breach included names, email addresses, phone numbers, and encrypted passwords. The company announced that the data came from a 2014 intrusion into its systems by “state sponsored actors”. This confirmation came in the middle of Verizon Communications' acquisition of Yahoo for $4.8 billion, possibly impacting the deal.

On December 14, only two months after the 2014 breach was reported, news came of an even larger breach. The company disclosed that more than one billion users were compromised, making it the biggest breach on record. Yahoo clarified that this was a distinct breach from the September announcement, and that it likely came from a 2013 attack.
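
Credential stuffing, as described above, replays leaked username/password pairs against other sites, so the defender's signal is a single source touching many different accounts with a high failure rate, rather than one user failing repeatedly. The following is an added example, not code from the Trend Micro article or from Yahoo; the log line format (`<timestamp> ip=<addr> user=<name> result=OK|FAIL`), the thresholds and every sample line are constructed for illustration. It also reports which accounts succeeded from a flagged source, since those are the ones whose reused passwords need resetting.

```python
"""Spot credential-stuffing sources in authentication logs.

Added example for the credential-stuffing technique described above; it is
not code from the Trend Micro article. The log format and every log line
below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed line format: <timestamp> ip=<addr> user=<name> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_stuffing_sources(lines, min_distinct_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many *different* accounts and mostly fail.

    A stuffing run replays leaked username/password pairs, so one source
    touches many accounts with a high failure rate; a single user mistyping
    a password touches one account. Returns {ip: summary}; 'hits' lists the
    accounts that *succeeded* from a flagged source and should be reset.
    """
    stats = defaultdict(lambda: {"users": set(), "hits": set(), "total": 0, "fail": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not fatal
        s = stats[rec["ip"]]
        s["users"].add(rec["user"])
        s["total"] += 1
        if rec["result"] == "FAIL":
            s["fail"] += 1
        else:
            s["hits"].add(rec["user"])

    flagged = {}
    for ip, s in stats.items():
        ratio = s["fail"] / s["total"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["total"],
                "fail_ratio": round(ratio, 2),
                "hits": sorted(s["hits"]),
            }
    return flagged


# Constructed sample: one source cycling through leaked accounts, one
# ordinary user who mistyped a password once, and one malformed line.
SAMPLE_LOG = """\
2016-09-22T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2016-09-22T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2016-09-22T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2016-09-22T10:00:04Z ip=203.0.113.5 user=dave result=OK
2016-09-22T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2016-09-22T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2016-09-22T10:00:07Z ip=203.0.113.5 user=grace result=FAIL
2016-09-22T10:00:08Z ip=203.0.113.5 user=heidi result=FAIL
2016-09-22T10:01:00Z ip=198.51.100.7 user=ivan result=FAIL
2016-09-22T10:01:09Z ip=198.51.100.7 user=ivan result=OK
this line is not an auth record
""".splitlines()

if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

On real logs the thresholds need tuning per site (shared NAT egress points legitimately produce many distinct users from one address, but not with an 80% failure rate), and the per-source view should be complemented by a per-account view, since large stuffing runs spread load across many source addresses. The `hits` list is the actionable output: those accounts authenticated with a password that is evidently in a leaked set and should be forced through a reset.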

Most politically charged breach: DNC hack

The Democratic National Committee (DNC) leak had a powerful impact on relations between Russia and the United States. Months after the initial leak and a thorough investigation, the US formally accused Russia of cyber-espionage and attempting to influence the US election.

A collection of over 19,000 emails from the DNC, the governing body of the Democratic Party of the United States, was leaked and published by WikiLeaks. This resulted in the resignation of DNC chair Debbie Wasserman Schultz as well as other prominent members of the committee. Reports also speculated that the leak may have influenced the outcome of the national elections.

Unanticipated discoveries: Apple zero-days

While the existence of Apple malware isn’t a surprise, the level of sophistication of the exploits is notable. The researchers who first investigated the malware called it, “the most sophisticated mobile attack we’ve seen yet, and marks a new era of mobile hacking.”

Three zero-day vulnerabilities were identified and dubbed “Trident”. The chain of vulnerabilities could be leveraged to spy on the individual, collecting information from messaging apps, email, social media, and others. Trident was discovered when an activist in the UAE received text messages he identified as suspicious. He reported them to Citizen Lab, a research facility based in Toronto that worked with mobile security firm Lookout to gather more information about the vulnerabilities. Apple quickly issued a patch and widely urged customers to update to the latest version of the OS.

Perennially vulnerable: Adobe Flash

Constant security issues with Adobe Flash have caused most users to migrate to alternatives like HTML5. The situation worsened when Google started actively blocking Flash content on its Chrome browser, leaving users to enable Flash on a site-by-site basis.

The number of Flash vulnerabilities discovered in 2016 was comparable with previous years; however, there were still several serious zero-days found and exploited. In late October, espionage group Pawn Storm ramped up its global spear-phishing campaign using a Flash zero-day even after a patch was issued. Both Adobe and Microsoft provided fixes, but the hackers still expanded the campaign. No doubt they were trying to get as many victims as possible before users updated their software.
